Plugin Author
Eli
(@scheeeli)
OUCH! Troll much?
I don’t remember ever receiving any requests for help from you. You may not have noticed but my plugin has worked for countless other, and when it has missed some threat I am always happy to take a look and add the new threats to my definition updates to they too can be automatically removed.
I’m sorry my free plugin, that I have worked on very hard for long hours, does not find this one new threat that you happened to have. I was going to ask you what you found that my plugin overlooked but then I saw your second post. Can you tell me where you found this jquery.js file? I see that it’s a bit cryptic but I don’t see anything harmful in it. Can you tell me what the payload was (what did you see on your site)?
I can’t tell you how disappointed I am that you would rate my plugin so harsh based on this one experience you had when you never even tried to ask me for help. I hope we can work together to get to the bottom of this jquery.js file of yours.
Aloha, Eli
one of my client had this file and had a annonying message on top of his homepage to upgrade the plugin on his browser.
WARNING! Please update plug-in to continue
i got help from this thread
https://ww.wp.xz.cn/support/topic/strange-warning-message-update-plugin?replies=23
file location mentioned was /wp-includes/js/jcrop – jquery.js
you are right , i was a bit harsh with rating.
i shared this info only after noticing this seem like a working plugin for most of people.
Plugin Author
Eli
(@scheeeli)
Thanks form posting that follow-up. That other thread you sited was helpful. I see that this jquery.js file in the wp-includes/js/jcrop folder is being included from the hacked theme header.php files. So I have added this script tag to my definition update so that my plugin can clean that line out of infected themes, thus rendering this script inactive.
I also noticed that nobody has posted the full contents of this rogue jquery.js file. It would be very helpful, if you still have that file, if you could pastbin the whole file so that I could see then rest of what it’s trying to do and add the whole thing to my definition updates. In the first link you posted about this file it looks like it’s cut off after all that Hex content but there must be more code after that because there are function that open with a { and it would cause a syntax error if they didn’t close with a } after all that.
If you don’t have it any more then I can try to get it form somebody else that has been affected by this one. Thanks for writing me back anyway.
Aloha, Eli
i had the file on my desktop.
http://pastebin.com/S8ygTtqe
do i need to check header.php of my website too?
Plugin Author
Eli
(@scheeeli)
Thanks a bunch for pasting that whole file. I will get that added to my definition updates ASAP.
As for your header.php, it is my assumption that you have the same script tag in there that called that rogue jquery.js file. If you want to give my plugin a second chance then now is the time. Just download my new definition update and Scan you themes and it should pick up this script tag if it’s in there.
